One of the most trusted forms of encryption and internet security (pre-NSA) from the company RSA Security (now part of EMC Corp.), is in question after a storm of revelations that emerged from leaked documents from the Edward Snowden.
The documents revealed that the NSA had created a faulty random number system (Dual_EC_DRBG), Dual Elliptic Curve, which the major security company RSA used in its BSAFE encryption number generator tool.
To date the RSA Security claimed that none of this was true, but a new Snowden document revealed that RSA received $10 million from the NSA to keep its encryption weak.
Researchers from Johns Hopkins, the University of Wisconsin, and the University of Illinois claim that the security company adopted a tool suggested to them by the NSA, the Extended Random extension that they used for "secure websites." Of course the tool left backdoors for the NSA and helped the intelligence agency to breach the Dual Elliptic Curve too quickly as reported by Reuters.
(it took the researchers 3 seconds to break a free version of BSafe for the C programming language even without Extended Random, because they had already generated enough random bits before the secure connection started.)
The Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC_DRBG) is a pseudo-random number generator developed by the National Security Agency (NSA) cryptographers and later adopted by the RSA Security in the security kit he was using, the BSAFE, which approved the Dual Elliptic Curve.
"While the Extended Random was not widely adopted, the new research sheds light on how the NSA extended the reach of its surveillance with alleged protection advice to various businesses."
Η RSA Security had denied the allegations, and said it had no intention of weakening the safety of its products. The Extended Random had been removed from its protection software RSA Security in the last six months.
"We could be more skeptical of the NSA's intentions," RSA Chief Technology Officer Sam Curry told Reuters. "They were trusted because they are tasked with the security of the U.S. government and critical infrastructure."
So far it has not been revealed whether RSA has received money from the NSA for adding this second backdoor or not. But the news still raises some troubling questions in everyone's mind about the relationship between the security agency and the US NSA.
